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In re Patent Application of: 

APPLICANTS: Dan Boneh, Richard DeMiilo, Richard Lipton 
SERIAL NO- 09/516,910 
FILED: March 1,2000 
GROUP ART 2766 

TITLE: A Method of Using Transient Faults to Verify the Security of a Cryptosystem 

ASSISTANT COMMISSIONER FOR PATENTS 
WASHINGTON, D.C. 2023 1 

SIR: 

Preliminary Amendment 

Prior to examination of the above-identified application, which is a continuation of Serial 
No. 08/933,541, filed September 19,1997, please amend said application as follows: 

In The Specification 

Page 3, line 23, after "key^, delete and ins6 
Page 4, Hne 2, before mod", delete "e" and insert — ej — 
Page 5, line 8, before "s", delete "^^9." and iffsert/ - Hj^s-- 




Page 8, line 4, after "cryptosystems", delet^'using" and inseff — which uses --. 
Page 18, line 17, after "not", delete "devisable" and ins'erT^^^^^v^ — . 
Page 39, line 18, after "cryptosy&tertis^Cdelete "are" and insert - and ~. 
In the Claims — 

Cancel claims 1 through^ ^^^and add the following claims 40 through 53. 

40. A method for determining secret information contained in a first cryptography device 
using a second cryptography device, the method comprising the steps of: 

a. generating an electrical signal comprising a stream of bits containing a correct 
digital signature in said first cryptography device; 
5 b. transmitting the electrical signal containing the correct digital signature to said 

second cryptography device; 
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c. placing said first cryptography device under physical stress and in response to the 
physical stress, generating an electrical signal comprising a stream of bits containing an 
incorrect digital signature in said first cryptography device; 
0 d. transmitting the electrical signal containing the incorrect digital signature to said 

second cryptography device; 

e. in a processor in said second cryptographic device, determining secret information 
q stored in said first cryptography device using: 

gcd(E-E,N) = q 

5 wherein N is a product of prime numbers, and one of the prime numbers is q; and 

f . generating an output electrical signal comprising a stream of bits containing the 
secret information used to generate the correct signature. 

41. The method of claim 40 wherein said first cryptographic device generates a digital 
signature which may be separated into linear components. 

0 42. The method of claim 40 wherein placing said first cryptography device under physical 

stress includes at least one of applying atypical voltage levels, applying a higher speed than 
said first cryptography device was designed to accommodate, or applying radiation. 

43. A method for determining secret information contained in a first cryptography device 
using a second cryptography device, the method comprising the steps of: 
5 a. in said first cryptography device, generating an electrical signal comprising a 

stream of bits containing a first authentication value of form r^ mod N wherein r is a random 
number and N is a secret value which is a product of prime numbers and transmitting said 
electrical signal containing the authentication value to said second cryptography device; 

b. in said second cryptography device, generating an electrical signal comprising a 
0 stream of bits containing a subset of integers S and transmitting said electrical signal 

containing the subset of integers to said first cryptography device; 

c. in response to receipt of the electrical signal containing the subset of integers, 
generating in said first cryptography device an electrical signal comprising a stream of bits 
containing a second authentication value of form y = (r + E) Flies Si wherein y is an erroneous 

5 value, Si is a secret exponent used to encrypt, and E is a value added to r due to an error and 
transmitting said second authentication value to said second cryptography device; 

d. in response to receipt of the electrical signal containing the second authentication 
value, determining in a processor of said second cryptography device a value for E by 
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computing: 



40 (r + E)' (modiV) 

wherein v. = sf ; 

f . determining in the processor of said second cryptography device a value of r by 
computing: 

(r + e)' - - 2Er + E' (mod iV) ; 

4 5 g. in response to the calculated values of E and r, determining in the processor of said 

second cryptography device a value for Si by computing: 

n,e.^,=^(modiV);and 
r + E 

y/^ h, generating an output electrical signal comprising a stream of bits containing secret 

information flies Si. 

5 0 44. The method of claim 43 wherein the step of determining Si further includes the step of 

computing in the processor in said second cryptography device: 

n.. ^ (modiV). 



45. The method of claim 43 further comprising the step of determining in the processor in 

5 5 said second cryptography device whether the value of E satisfies the relation {y') = (r')^r^ by 

using the subset of integers S; wherein T is a guessed value for Hies Sj. 

46. The method of claim 43 wherein the step of generating the electrical signal comprising 
a subset of integers S in said second cryptography device includes generating a plurality of 
subsets of S. 

6 0 47. The method of claim 46 wherein the step of generating in said first cryptography 

device an electrical signal comprising a second authentication value in response to receipt of 
the signal containing the plurality of subset of S further includes generating a second 
authentication value for each subset S of the plurality of subsets S received. 

48. The method of claim 47 wherein the step of generating a plurality of subsets S in said 
6 5 second cryptography device further comprises generating singleton sets. 

3 

R: \DEPTINFO\PATENTS\APPLNS\1245\prelim_ain.doc 



PATENT 
APP 1245-US 



49. A method for determining secret information contained in a first cryptography device 
using a second cryptography device, the method comprising the steps of: 

a. placing said first cryptography device under physical stress and in response to the 
physical stress, generating an electrical signal comprising a stream of bits containing an 

7 0 incorrect digital signature in said first cryptography device; 

b. transmitting the electrical signal containing the incorrect digital signature to said 
second cryptography device; 

c. in response to receipt of the electrical signal containing the incorrect digital 
signature, selecting a block length in a processor of said second cryptography device; 

7 5 d. determining in the processor of said second cryptography device a candidate 

vector w that matches all known bits of the secret information and is zero elsewhere by 
computing: 

wherein ki is a time at which an error may have occurred; sj is a bit which may be incorrect; r is 

8 0 a possible blocklength; and u is a bit which may be incorrect; 

e. determining in the processor of said second cryptography device whether 
candidate vector w is correct by computing: 

3ee {0,...,n}s.r.(^^- ±2'm7)" =m.(modA^) 

wherein e = a public exponent; 

8 5 n = a number of bits in the secret information; 

mj = a message; 

Cj = a public signature verification exponent; and 
N = a product of prime numbers; 

f. if the candidate vector w is correct, generating an output electrical signal 

9 0 comprising a stream of bits containing a value for the selected block length; and 

g. if the candidate vector w is incorrect, determining in the processor of said second 
cryptography device another candidate vector. 

50. The method of claim 49 wherein the steps (c) - (f) are performed for a plurality of 
block lengths. 

9 5 5 1 . A method for determining secret information contained in a first cryptography device 

using a second cryptography device, the method comprising the steps of: 
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a. generating in said second cryptography device an electrical signal comprising a 
stream of bits containing a challenge t and transmitting the electrical signal containing the 
challenge to said first cryptography device; 
10 0 b. in response to receipt of the electrical signal containing the challenge t, generating 

in said first cryptography device an electrical signal comprising a stream of bits containing a 
response of form u = r -\-ts mod p , wherein: 

r is a random number selected by the first cryptography device; 
s is the first cryptography device's secret key; and 
10 5 p is a large prime number; 

c. transmitting the electrical signal containing a response to said second cryptography 

device; 

d. transmitting the electrical signal containing the same challenge t to said first 
cryptography device; 

110 e. in response to receipt of the electrical signal containing the challenge t, generating 

in said first cryptography device an electrical signal comprising a stream of bits containing a 
second response of form u = r -}-xmod p , wherein: 

f is an erroneous value of r and x is ts mod p; 

f. in response to receipt of electrical signal containing the second response, 
115 determining in said second cryptography device a location of the error; and 

g. generating an output electrical signal comprising a stream of bits containing the 
secret integer Si. 

52. The method of claim 51 wherein the step of determining the location of the error 
further comprises the steps of trying all possible locations of the error. 

12 0 53. The method of claim 52 wherein the step of trying all possible locations further 

includes the step of determining in said second cryptography device which location for the 
error satisfies: 

g' = 8"g' 8" {mod p) 

wherein: 

12 5 ^ is a generator of Z* ; and 

/ is a location of the error. 
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, AMENDMENT TRANSMITTAL LETTER (Large Entity) 
Applicant(s): D. Boneh, R. DeMillo, R. Lipton 


Docket No. 
APP1245-US 


Serial No. 
09/516,910 


Filing Date 
03/01/2000 


Exanniner 
not assigned 




tiSiroup Art Unit 


Invention: Method of Using Transient Faults to Verify the Security of a Cryptosystem 3: CD 
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TO THE ASSISTANT COMMISSIONER FOR PATENTS: 

Trari'rf^ttftSLilasJfe^ith is an amendment in the above-identified application. 
The fee has been calculated and is transmitted as shown below. 



CLAIMS AS AMENDED 



CLAIMS REMAINING 
AFTER AMENDMENT 



HIGHEST # 
PREV. PAID FOR 



NUMBER EXTRA 
CLAIMS PRESENT 



RATE 



ADDITIONAL 
FEE 



TOTAL CLAIMS 



14 



39 



$18.00 



$0.00 



INDEP. CLAIMS 



0 X $78.00 



$0.00 



Multiple Dependent Claims (check If applicable) 



$0.00 



TOTAL ADDITIONAL FEE FOR THIS AMENDMENT 



$0.00 



in the amount of 



□ No additional fee is required for amendment. 

□ Please charge Deposit Account No. 
A duplicate copy of this sheet is enclosed. 

□ A check in the amount of to cover the filing fee is enclosed. 

Kl The Commissioner is hereby authorized to charge payment of the following fees associated with this 
communication or credit any overpayment to Deposit Account No. 02-1820 
A duplicate copy of this sheet Is enclosed. 

Any additional filing fees required under 37 C.F.R. 1.16. 
Kl Any paterjt application processing fees under 37 CFR 1 .17. 

Dated: 

Signature ^ 

James W. FaM 
Reg. No. 16154 
Telcordia Technologies, Inc. 
Morristown, NJ 07960 




cc: 



I certify, that .this document and fee is being deposited 
on ^1 ^(4! 0C> with the U.S. Postal Service as 

first class mail under 37 C.F.R. 1.8 and is addressed to the 
Assistant Commissioner for Patents, Washington, D.C. 
20231 . 




ignature of Person Mailing Correspondence 



Linda K. Adams 



Typed or Printed Name of Person Mailing Correspondence 
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